You type a question in Copilot Chat and see the error: This prompt was blocked by your organization. This message stops your work and leaves you without an answer. The block happens because of content filtering rules set by your IT admin in Microsoft 365. This article explains why the block occurs and shows the exact steps to resolve it.
Your organization uses sensitivity labels and data loss prevention policies to control what Copilot can process. When a prompt matches a restricted category such as confidential financial data or HR records, Copilot blocks the entire request. The block is not a glitch — it is a deliberate security control.
You will learn how to identify the policy that caused the block and how to request an exception or adjust your prompt. The fix depends on whether you are an end user or an admin. Both scenarios are covered below.
Key Takeaways: Resolving Copilot Prompt Blocks
- Microsoft 365 admin center > Data classification > Sensitivity labels: Labels applied to documents and emails determine which content Copilot can read
- Microsoft 365 admin center > Compliance > Data loss prevention: DLP policies block prompts that contain sensitive information types such as credit card numbers or health data
- Copilot Chat > Settings > Data sources: Users can check which Microsoft Graph data sources are enabled and exclude restricted content from future prompts
Why Copilot Blocks a Prompt Based on Organization Policy
Copilot evaluates every prompt against three layers of policy before it generates a response. The first layer is sensitivity labels. Your IT admin assigns labels such as Confidential, Internal, or Highly Restricted to documents, emails, and sites. When your prompt references a labeled file or asks Copilot to summarize it, the system checks whether your account has permission to access that label. If the label is set to block Copilot access, the prompt is rejected.
Data Loss Prevention Policies
The second layer is data loss prevention or DLP. DLP policies scan the text of your prompt for sensitive information types. Common triggers include Social Security numbers, bank account numbers, passport numbers, and health diagnosis codes. If the prompt contains a string that matches a DLP rule, Copilot blocks the entire conversation and logs the event in the Microsoft 365 audit log.
Conditional Access and App Policies
The third layer is conditional access. Your admin can restrict Copilot Chat to specific device platforms, network locations, or authentication methods. If you are connecting from an unmanaged device or a public Wi-Fi network that does not meet the policy requirement, Copilot returns the blocked prompt error instead of a response.
The error message does not tell you which policy triggered the block. You must check the audit log or contact your admin to see the exact rule that was violated.
Steps to Identify the Blocking Policy and Fix the Prompt
Follow these steps to find out why your prompt was blocked and how to unblock it. The steps are different for users and for admins.
For End Users: Request Access or Rephrase the Prompt
- Copy the exact error message
Open Copilot Chat and reproduce the block. Select the error text and copy it to your clipboard. Include the timestamp shown in the error. - Check your prompt for sensitive terms
Review the prompt you typed. Remove any words that refer to financial figures, medical conditions, legal case numbers, or employee identifiers. Replace generic terms such as salary data with compensation structure or patient records with client notes. - Submit the prompt again
Paste the rephrased prompt into Copilot Chat. If the block disappears, the original prompt contained a term that matched a DLP rule. Continue using rephrased language for similar requests. - Contact your IT admin
If the block persists after rephrasing, send the error message and timestamp to your IT support team. Ask them to check the audit log for the specific policy that blocked the prompt. Request an exception if the prompt is work-critical.
For Admins: Locate the Policy and Adjust the Rule
- Open the Microsoft 365 admin center
Go to admin.microsoft.com and sign in with an account that has the Global Admin or Compliance Admin role. - Navigate to the audit log
Select Compliance from the left menu. Then go to Audit. Search for Copilot interaction or Prompt blocked using the user’s timestamp. The audit record shows the policy name and the rule that triggered the block. - Review the sensitivity label
In the audit record, look for the field SensitivityLabelId. Copy the label ID. Go to Data classification > Sensitivity labels in the admin center. Find the label and check its Copilot access setting. If it is set to Block, change it to Allow or Audit only. - Review the DLP policy
If the audit record shows a DLP policy, go to Data loss prevention in the admin center. Select the policy and open the rule that matched. Adjust the Actions section to set the rule to Audit only instead of Block. Save the policy and wait up to 24 hours for the change to apply. - Test the fix
Ask the user to send the same prompt again. Confirm that Copilot Chat returns a response instead of the block error.
If Copilot Still Blocks Prompts After the Policy Fix
Sometimes the block continues even after you adjust the sensitivity label or DLP rule. The following issues explain why and how to resolve them.
The Block Is Caused by a Conditional Access Policy
Conditional access policies are separate from sensitivity labels and DLP. Go to Microsoft Entra admin center > Protection > Conditional Access. Look for policies that target the Microsoft Copilot cloud app. Check the Conditions section for device platform, location, and client app restrictions. If the policy blocks all external networks, users must connect through a VPN or a corporate network to use Copilot Chat.
Copilot Chat Shows the Block on a File That Was Shared Externally
When a file is shared with users outside your organization, Copilot may block prompts that reference it. The block happens because the file carries a sensitivity label that restricts external access. To fix this, remove the external share or change the label to a less restrictive one. Go to the file in SharePoint or OneDrive, select Manage access, and revoke external links.
The Prompt Block Appears Only in Copilot Chat but Not in Copilot in Word
Copilot Chat uses a different set of policies than Copilot embedded in Microsoft 365 apps. Check the Copilot pane > Settings > Data sources in the Word, Excel, or PowerPoint app. If the data source is set to Only Microsoft Graph, Copilot in Word may bypass the DLP rule that blocks Copilot Chat. To align the behavior, update the DLP rule to apply to both Copilot Chat and Copilot in Microsoft 365 apps in the policy scope.
| Item | Copilot Chat | Copilot in Microsoft 365 Apps |
|---|---|---|
| Policy scope | Uses DLP and sensitivity labels from Microsoft 365 compliance center | Uses DLP and sensitivity labels plus app-specific settings in Word, Excel, PowerPoint |
| Error message | Shows explicit block text: This prompt was blocked by your organization | May show a generic error or refuse to generate without the block message |
| Audit log entry | Always logged as Copilot interaction with policy details | Logged only when the block is triggered by a DLP rule, not by app-level settings |
| Fix method | Adjust DLP rule or sensitivity label in admin center | Adjust app-level data source settings or DLP rule |
After you adjust the policy, remember that changes to DLP rules and sensitivity labels can take up to 24 hours to propagate across all Microsoft 365 services. Test the fix with the original prompt that was blocked. If the block persists, check the conditional access policies in Microsoft Entra. For ongoing work, rephrase prompts to avoid terms that match DLP sensitive information types. This approach reduces the chance of future blocks without requiring admin intervention.